Cisco Support Community
New Member

ASA Routing Problem

I have three networks at work: 172.31.101.0, 172.31.102.0, and 172.31.103.0.

172.31.101.0 is where all of my servers reside.

I have IP cameras at all three sites. When I use Cisco AnyConnect to start a VPN session I am only able to see the cameras on the 172.31.101.0 network.

I am pretty new to this, but it seems like I am missing some routes somewhere.

Thanks for your help.

Mike

5 REPLIES
Hall of Fame Super Silver


Do your two remote sites connect to the main site via site-site VPN in the same firewall as your remote access VPN? If so, what you're trying to do is known as "hairpinning" and the VPNs need to be setup to allow it.

Basically you need to:

1. make sure the networks are allowed in the routes pushed to the client,
2. allow traffic to go back out the same interface it enters on,
3. add the remote access client subnet to the remote net in the access-list for the site-site VPN, and
4. make sure it's exempted from NAT.

There are many articles around detailing how to set this up. One I think is particularly well done is over at packetu.com (link).

Hope this helps.
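The four hairpinning items above, written out as ASA CLI. This is an added example, not configuration from the thread or from packetu.com; it assumes ASA 8.3+ NAT syntax, a 192.168.50.0/24 AnyConnect address pool, 203.0.113.2 as the remote peer, and the object, ACL and pool names shown (the split-tunnel list that pushes the routes in item 1 lives under the group policy and is not repeated here).

```cisco
! Added example (not from the thread): ASA 8.3+ CLI letting AnyConnect clients
! reach a site whose site-to-site VPN terminates on the same ASA.
! Pool, peer address and all object/ACL names are assumptions.

! Item 2: permit traffic to leave the interface it arrived on (outside -> outside).
same-security-traffic permit intra-interface

! Address pool handed to AnyConnect clients (assumed).
ip local pool ANYCONNECT_POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0

! Item 3: site-to-site crypto ACL. The client pool must appear as a local source
! next to the LAN, or no IPsec SA is ever built for client traffic.
access-list L2L_SITE102 extended permit ip 172.31.101.0 255.255.255.0 172.31.102.0 255.255.255.0
access-list L2L_SITE102 extended permit ip 192.168.50.0 255.255.255.0 172.31.102.0 255.255.255.0
! The mirror image of that second line must exist in the remote peer's crypto ACL.

! Item 4: identity NAT so pool <-> remote-site traffic hairpinning on outside is untouched.
object network VPN_POOL
 subnet 192.168.50.0 255.255.255.0
object network NET_SITE102
 subnet 172.31.102.0 255.255.255.0
nat (outside,outside) source static VPN_POOL VPN_POOL destination static NET_SITE102 NET_SITE102 no-proxy-arp route-lookup

! Check: after a client pings a remote camera, an SA for the pool proxy identity
! (local ident 192.168.50.0/24, remote ident 172.31.102.0/24) should exist and
! its encaps/decaps counters should both be climbing.
show crypto ipsec sa peer 203.0.113.2
```

If the SA for the 192.168.50.0/24 identity never appears, the crypto ACL (or its mirror on the peer) is the usual culprit; if it appears but only the encaps counter moves, the remote site has no route or NAT exemption for the pool. Repeat the crypto ACL and NAT lines for 172.31.103.0/24 with a second object.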

New Member


Yes,

All three sites are connected via an MPLS.

I will review the link and post back.  Right now I am having issues with ASDM. I think it's a Java problem though...joy

Hall of Fame Super Silver


If the sites are connected via MPLS (and not a site-site VPN that also terminates on the ASA), then simpler routing is most likely your issue.

You can check the routes you're getting while on VPN by opening the AnyConnect GUI and clicking the settings (gear) icon and then looking at VPN, Route Details. You'll need to be getting either a default route (i.e. no split tunnel) or a specified route (or routes) that includes the target subnets.

If that looks good then it's probably routing across the MPLS cloud failing to advertise your address pool for the VPN clients.
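What "routing across the MPLS cloud" means in practice for this topology, as an added example (not from the thread). It assumes the ASA's default route points out its outside interface, 172.31.101.254 is the ASA inside address, 172.31.101.1 is the MPLS CE router, the client pool is 192.168.50.0/24, and the CE speaks BGP to the provider; names and addresses are placeholders.

```cisco
! Added example (not from the thread): routing needed when the sites are joined
! by MPLS and only the remote-access VPN terminates on the ASA.
! Interface names, pool, CE/ASA addresses and the BGP AS are assumptions.

! On the ASA: without these, decrypted client traffic for 172.31.102.0/24 and
! 172.31.103.0/24 follows the default route back out "outside" and is dropped.
route inside 172.31.102.0 255.255.255.0 172.31.101.1 1
route inside 172.31.103.0 255.255.255.0 172.31.101.1 1

! On the CE router (IOS): return route for the client pool toward the ASA.
! The pool must also be advertised into the MPLS VPN (here via redistribute
! static); otherwise the remote sites send camera replies to their own default
! gateway and they never come back.
ip route 192.168.50.0 255.255.255.0 172.31.101.254
router bgp 65001
 address-family ipv4
  redistribute static

! Checks on the ASA: the routes are present, and a simulated client echo request
! (ICMP type 8, code 0) to a remote camera is allowed and egresses via "inside".
show route | include 172.31.10[23]
packet-tracer input outside icmp 192.168.50.10 8 0 172.31.103.50
```

The packet-tracer output is the quick discriminator: "NO-ADJACENCY" or an egress of outside means the ASA is missing the route; "allow" with egress inside but no ping reply means the return path (the CE route or its advertisement into the MPLS VPN) is the missing piece, and the remote-site routers should show 192.168.50.0/24 in `show ip route`.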

New Member


Thank you,

Can you give more detail on where I would look within the ASDM GUI?

Thanks

Mike

Hall of Fame Super Silver


I had mentioned the AnyConnect GUI, i.e. see the screenshot below.

Those routes are configured in ASDM via "Configuration > Remote Access VPN > AnyConnect Connection Profiles". Check which group policy your connection profile uses. Then go under that Group Policy and select Edit. Expand the Advanced menu and examine the Split Tunneling settings. The policy should be "Tunnel Network List Below", and the Network List calls out an access-list that specifies the networks that the VPN can access.
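The same chain (connection profile, group policy, split-tunneling policy, network list) as it appears in the running configuration, which is often faster to read than clicking through ASDM, especially while ASDM itself is broken. This is an added example, not configuration from the thread; the profile, policy, ACL and pool names and the 192.168.50.0/24 pool are assumptions.

```cisco
! Added example (not from the thread): CLI view of the ASDM path
! Connection Profile -> Group Policy -> Advanced -> Split Tunneling -> Network List.
! All names and the pool are assumptions.

! Network List: one standard-ACL line per subnet the client should reach.
! A subnet missing here is a route missing in the client's "Route Details".
access-list SPLIT_TUNNEL standard permit 172.31.101.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.31.102.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 172.31.103.0 255.255.255.0

! Group Policy: "Tunnel Network List Below" is tunnelspecified.
group-policy CAMERA_GP internal
group-policy CAMERA_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Connection Profile: hands out the address pool and the group policy.
ip local pool ANYCONNECT_POOL 192.168.50.1-192.168.50.254 mask 255.255.255.0
tunnel-group CAMERA_TG type remote-access
tunnel-group CAMERA_TG general-attributes
 address-pool ANYCONNECT_POOL
 default-group-policy CAMERA_GP

! Checks: the policy a connected user actually received (a per-user attribute,
! an LDAP/RADIUS-mapped policy or a DAP record can override the profile's
! default-group-policy), and the list that policy references.
show vpn-sessiondb detail anyconnect filter name mike
show run group-policy CAMERA_GP
show access-list SPLIT_TUNNEL
```

Split-tunnel routes are pushed at connect time only, so after editing the ACL or the policy the client has to disconnect and reconnect before "Route Details" reflects the change.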
